There once was a time, not all that long ago, when security teams could plead ignorance of IT security risks with little consequence in terms of significant damage to the company. Those days are long gone. We’ve reached an era where the "I see nothing" perspective no longer works for network security. In today’s era of advanced cyberattacks, information security is too important an element of business success to dismiss.
In fact, ignorance of information security matters is prohibitively costly, as regulators can use it to justify the imposition of fines. Take GDPR’s penalty scheme, for example. Is ignorance of digital security worth 20 million or 4 percent of an organization’s global annual revenue? That’s just one data protection standard -- others such as Australia’s Notifiable Data Breaches (NDB) scheme and the NY Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Institutions come with their own fines and penalties. Given that we’re also in the era of insufficient resources, the challenge for security teams is how to deploy limited resources to have the greatest impact. As the title of this post makes clear, the obvious answer is to stop spending time on the wrong things.

Start with the Golden Triangle of People, Process, and Technology
Organizations know they need to do something for information security. However, not all of them know exactly what to do. Part of the problem could be that they haven’t prioritized the right projects or properly aligned their security program with their business processes. These misalignments may, in turn, breed security distractions across their people, process, and technology:

People: Without proper direction, security professionals may underestimate certain threats and overestimate others. They might also lack the necessary infosec knowledge and experience to protect the organization against the variety of exploit vectors that threaten the business every day.

Process: Organizations might not integrate effective IT metrics into their processes, or, out of confusion about which processes are important, they might fund lots of different projects, which limits the chance of all of them being completed correctly. Companies might also focus on compliance rather than security. Through compliance, organizations can fulfill requirements specified by PCI, HIPAA and other regulations, but compliance alone doesn’t ensure that organizations can maintain those same levels of security over time or implement sufficient security controls based on the needs of the business.

Technology: Not all solutions are equipped to handle today’s digital security challenges. Some are well suited to defend only against old threats or are tuned only to a specific type of attack. Such shortcomings can produce deep holes in an organization’s network visibility.
The security distractions discussed above are all indicators of a misdirected security policy. As related by the SANS Institute, the overarching point of a security policy is to identify an organization’s goal for security. This policy should be sufficiently flexible to account for new threats, with every remediation effort acting in the service of the greater security goal. It also needs to cover auditing processes for security as well as account for the interests of employees and third-party companies and the business goals of the organization. There is no room for tangents or side projects. Risk assessments, employee education, and what to do in response to security violations must take center stage.
With a well-crafted security policy, organizations can focus on the right things. These priorities vary from business to business based on their goals. But certain common denominators stand out, as described below.

Insiders As the Most Common Source of Data Breaches
Reality doesn’t always match organizations' expectations about digital risk. For instance, companies are prone to think that the greatest risk comes from external attackers. That’s not true.
Netwrix found in its third annual IT risks survey that insiders are far more dangerous than hackers, with physical damage most commonly resulting from malicious internal activity, honest mistakes, instances of negligence, or sheer bad luck involving employees. Half of the breaches analyzed resulted from errors caused by regular business users, which matches Netwrix’s finding that nearly half (44 percent) of respondents either did not know or were unsure how their employees generally interact with sensitive files. This oversight made it possible for simple mistakes committed by regular business users, IT team members, and mid-level managers to become the leading cause of data loss (50 percent), data breaches (29 percent), and property theft (22 percent). Human errors were also the second greatest cause of system disruptions.
The results of Netwrix’s survey reveal that many companies don’t know what’s going on in their IT environment, especially when it comes to how insiders are interacting with critical systems and data. It doesn’t have to be this way. Organizations can respond by monitoring employee behavior, investing in ongoing security awareness training and implementing access controls. These measures don’t just stem the tide of human errors; they also help grow the organization’s security culture, with trained employees as the first line of defense.

Organizations Need To Take Information Security Basics Seriously
Business values play a significant part in shaping an organization’s information security program, meaning the framework at one company will likely differ from one at another. Despite these differences, the same security controls tend to make up the heart of any robust information security program. This means that organizations would do well to take the basics seriously if they want to mitigate their own digital risk.
There are many different fundamentals on which organizations can focus their information security efforts. Three, in particular, stand out:

Unapproved IT Systems: Companies can’t adequately protect their assets if they don’t know they’re there. That’s why organizations need to keep an up-to-date inventory of all authorized hardware and software connected to the network. They could place themselves in an even better position by establishing a secure baseline configuration for all of these assets and monitoring for changes, both approved and unapproved.

Patching: No organization has the ability to apply every software patch quickly. Companies should, therefore, consider developing a vulnerability management program that in part analyzes security flaws and prioritizes them based on their assessed threat level. Businesses can then use that ranking to develop a patching schedule. Towards that end, organ
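The inventory-and-baseline control described under "Unapproved IT Systems" can be reduced to a drift check: compare what is actually observed on the network against the authorized baseline and separate approved deviations from unapproved ones. The following is an added example, not code from the original post; the hostnames, package versions and change-approval entries are constructed sample data standing in for a CMDB or endpoint-agent export.

```python
"""Baseline drift check for an authorized hardware/software inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Authorized baseline: host -> {package: approved version}. Constructed sample data.
BASELINE: Dict[str, Dict[str, str]] = {
    "web-01": {"nginx": "1.24.0", "openssl": "3.0.13"},
    "db-01": {"postgresql": "15.6", "openssl": "3.0.13"},
}

# Deviations that a change ticket has explicitly approved (host, package, version). Constructed.
APPROVED_CHANGES = {("web-01", "openssl", "3.0.14")}

@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    kind: str  # unapproved_host | unapproved_package | unapproved_change | approved_change | missing_package
    observed: Optional[str]
    expected: Optional[str]

def check_drift(observed: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Compare an observed inventory against BASELINE and classify every deviation."""
    findings: List[Finding] = []
    for host, packages in observed.items():
        if host not in BASELINE:
            # A host the inventory never authorized: the "don't know it's there" case.
            findings.append(Finding(host, "*", "unapproved_host", None, None))
            continue
        expected = BASELINE[host]
        for pkg, ver in packages.items():
            if pkg not in expected:
                findings.append(Finding(host, pkg, "unapproved_package", ver, None))
            elif ver != expected[pkg]:
                kind = "approved_change" if (host, pkg, ver) in APPROVED_CHANGES else "unapproved_change"
                findings.append(Finding(host, pkg, kind, ver, expected[pkg]))
        for pkg in expected.keys() - packages.keys():
            # Baseline software that has disappeared, e.g. a removed agent or library.
            findings.append(Finding(host, pkg, "missing_package", None, expected[pkg]))
    return findings

def actionable(findings: List[Finding]) -> List[Finding]:
    """Drop approved changes so only items needing investigation remain."""
    return [f for f in findings if f.kind != "approved_change"]

# Constructed snapshot of what a scan actually reported.
OBSERVED = {
    "web-01": {"nginx": "1.24.0", "openssl": "3.0.14", "netcat": "1.10"},
    "db-01": {"postgresql": "15.6"},
    "dev-box-7": {"python3": "3.12.1"},
}
```

Running `actionable(check_drift(OBSERVED))` on the constructed snapshot flags the unknown host, the unlisted package on web-01 and the missing openssl on db-01, while the ticketed openssl upgrade on web-01 is reported but not escalated.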